(54) Method and system for exchanging sensitive information in a wireless communication system



(57) The present invention relates to a method and system for controlling the exchange of sensitive private information between a client device and content server devices. A proxy server device (208) is operatively connected between a wireless client device and the server devices to manage distribution of the private information. The proxy server device has a storage area (248) to store such information and a privacy manager (228) which operates to restrict the release of the information to other server devices unless a suitable privacy agreement governing the use of the information is in place. Thus, the exchange, as well as the use and nature, of the sensitive information released can be governed by one or more privacy agreements established between the principal parties.
Description

BACKGROUND OF THE INVENTION

Field of the Invention

[0001] The present invention relates to wireless communication systems and, more particularly, to a method and system for providing controlled use of sensitive information for wireless client devices of wireless communication systems.

Description of the Related Art

[0002] Writing in 1948, George Orwell envisioned a world where Big Brother exercises complete control over its citizens. Orwell's classic describes a world where Big Brother monitors the everyday conduct of its citizens through technologically advanced equipment. In today's technologically advanced society Big Brother is Big Business, and Big Business wants information about consumers to improve the production, quality, marketing and distribution of their goods and services. Wireless client devices (e.g. cellular phones, pagers and personal digital assistants (PDAs)) represent one currently popular technologically advanced piece of equipment. Service providers that administer the networks that service these wireless client devices have a considerable amount of personal information about their subscribers. The known personal information can, for example, include identification information, credit information, contact information (i.e. what numbers you are calling) and location information gathered by the wireless client devices and the networks associated with the wireless client devices.

[0003] The subscribers, through their subscriptions to the various wireless services, have granted their permission for the service providers to be in possession of some of their personal information (e.g., name, account number, location). If the service providers release this information to third parties without the permission of the subscribers it might be viewed as an unauthorized and, perhaps, unlawful disclosure of private information of their subscribers.

[0004] One valuable piece of information in the possession of the wireless network service providers is subscriber location information. Location information for a wireless client device (e.g., cellular telephone, pager, personal digital assistant (PDA)) can often be obtained directly from the wireless client device or from the network servicing the wireless client device (e.g. GPS, Time Difference of Arrival (TDOA)). Location information has considerable value to businesses because it allows them to more efficiently deploy their products and services in a fashion that reduces operating costs and maximizes profits. This information represents an attractive untapped source of revenue for the wireless network service providers. One problem with tapping this source of revenue is that it raises privacy concerns with regard to the subscriber. Another problem is that service providers want to provide the location information but, in so doing, do not want to expose their confidential network topology information.

[0005] Location information can also be of considerable practical value to subscribers in a variety of situations. Emergency service providers (e.g., Police and EMTs) already use location information from wireless client devices to locate callers in need of emergency assistance. Location information could also be of value to subscribers with less urgent concerns. For example, a subscriber with an incapacitated automobile in a remote location would be helped if the location information from his/her wireless client device (e.g., cell phone) could be passed on to an automobile towing service. A parent unsure of where to pick up his/her child could obtain location information from a wireless client device in the possession of the child.

[0006] Thus, there is a need for establishing ways to control the dissemination of private information, such as location information, of subscribers to wireless network services.

[0007] Broadly speaking, the invention relates to improved techniques that enable the exchange of sensitive information between client devices and server devices. The exchange, as well as the use and nature, of sensitive information released can be governed by one or more privacy agreements established between the principal parties, namely, a client device and a content server. A proxy server can be used to establish privacy agreements with content servers (service providers) in at least two ways. A first way is through configuration of client devices, in which a proxy server can manage a list of realms (e.g., URLs) that are allowed sensitive information (e.g., location reporting). A second way is through negotiation, in which the proxy server acts as a proxy for agreement negotiation. In one implementation, the agreement negotiation can be in accordance with Platform for Privacy Preferences (P3P) (see www.w3.org). The invention is particularly well suited for wireless communication systems that support wireless client devices.

[0008] The invention can be implemented in numerous ways including, as a method, an apparatus, a computer readable medium, and a computer system. Several embodiments of the invention are discussed below.
[0009] As a method for controlling exchange of private information associated with a client device, one embodiment of the invention includes the operations of: receiving a request from the client device; determining whether a privacy agreement is needed to respond to the request; negotiating a privacy agreement that governs the exchange of the private information when the privacy agreement is needed; and thereafter producing a response to the request.

[0010] As a method for exchanging private information associated with a client device to a server device via a proxy server, one embodiment of the invention includes the operations of: establishing an authorization agreement that enables the proxy server to negotiate privacy agreements with server devices on behalf of the client device; receiving a request at the proxy server; receiving a proposed privacy agreement from the server device associated with the request; accepting the proposed privacy agreement as a privacy agreement by the proxy server for the client device when in accord with the authorization agreement; and providing the private information to the server device after establishment of the privacy agreement.

[0011] As a method for controlling exchange of private information associated with a client device supported by a carrier network infrastructure, one embodiment of the invention includes the operations of: receiving a request from the client device, the request being directed to a server device; determining whether a privacy agreement is needed to respond to the request; determining whether the server device is authorized to receive the private information associated with the client device when it is determined that a privacy agreement is needed; and providing the private information to the server device associated with the request when it is determined that the server device is authorized to receive the private information associated with the client device.

[0012] As a system for controlling information exchange between a wireless client device and server devices, the wireless client device being supported by a wireless network, one embodiment comprises a proxy server device operatively connected between the wireless client device and the server device. The proxy server device manages distribution of private information associated with the wireless client device to the server devices. The proxy server device includes at least a storage area and a privacy manager. The storage area stores information received from at least one of the wireless client devices and from the wireless network. The privacy manager operates to restrict the release of the information received from the wireless client device and the wireless network to the one or more of the server devices unless a suitable privacy agreement governing the use of the information is in place for the one or more server devices.
[0013] As a computer readable medium including computer program code for controlling exchange of private information associated with a client device, one embodiment of said computer readable medium includes at least: computer program code for receiving a request from the client device; and computer program code for negotiating a privacy agreement that governs the exchange of the private information.

[0014] As a computer readable medium including computer program code for exchanging private information associated with a client device to a server device via a proxy server, one embodiment of said computer readable medium includes at least: computer program code for establishing an authorization agreement that enables the proxy server to negotiate privacy agreements with server devices on behalf of the client device; computer program code for receiving a request at the proxy server; computer program code for receiving a proposed privacy agreement from the server device associated with the request; computer program code for accepting the proposed privacy agreement as a privacy agreement by the proxy server for the client device when in accord with the authorization agreement; and computer program code for providing the private information to the server device after establishment of the privacy agreement.
[0015] As a computer readable medium including computer program code for controlling exchange of private information associated with a client device supported by a carrier network infrastructure, one embodiment of said computer readable medium includes at least: computer program code for receiving a request from the client device, the request being directed to a server device; computer program code for determining whether the server device is authorized to receive the private information associated with the client device; and computer program code for providing the private information to the server device associated with the request when said determining determines that the server device is authorized to receive the private information associated with the client device.

[0016] The advantages of the invention are numerous. Different embodiments or implementations may yield one or more of the following advantages. One advantage of the invention is that subscribers to networks (e.g., wireless networks) can control the release of their information over the networks. Another advantage of the invention is that client devices (subscribers) of networks can control the release of their information with respect to server devices on the networks. Still another advantage of the invention is that a proxy server can negotiate privacy agreements on behalf of client devices. Yet another advantage of the invention is that a proxy server can transform various location data formats without exposing confidential network topology information. Yet still another advantage of the invention is that the proxy server can add sensitive information it otherwise has access to (e.g., subscriber data) based on privacy agreements that are under control of client devices (or end users).

[0017] Other aspects and advantages of the invention will become apparent from the following detailed description taken in conjunction with the accompanying drawings, which illustrate, by way of example, the principles of the invention.
BRIEF DESCRIPTION OF THE DRAWINGS

[0018] The invention will be readily understood by the following detailed description in conjunction with the accompanying drawings, wherein like reference numerals designate like structured elements, and in which:

Figure 1 is a block diagram of a communications system according to an embodiment of the invention;
Figure 2 is a block diagram of a proxy server device according to one embodiment of the invention;
Figure 3 is a block diagram of a wireless client device according to one embodiment of the invention;
Figure 4 illustrates a representative wireless client device request according to one embodiment of the invention;
Figure 5 illustrates network information that may be provided to a proxy server device by a wireless network according to one embodiment of the invention;
Figure 6 illustrates information provided to the server device in response to a request for information according to one embodiment of the invention;
Figure 7 is a process diagram that represents a private information exchange sequence according to one embodiment of the invention;
Figure 8 is a flow diagram of client-side location reporting according to one embodiment of the invention;
Figures 9A - 9C are flow diagrams of proxy location processing according to one embodiment of the invention; and
Figure 10 is a flow diagram of server-side location processing according to one embodiment of the invention.

DETAILED DESCRIPTION OF THE INVENTION

[0019] In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present invention. However, it will become obvious to those skilled in the art that the present invention may be practised without these specific details. The description and representation herein are the common means used by those experienced or skilled in the art to most effectively convey the substance of their work to others skilled in the art. In other instances, well known methods, procedures, components, and circuitry have not been described in detail to avoid unnecessarily obscuring aspects of the present invention.

[0020] The invention relates to improved techniques that enable the exchange of sensitive information between client devices and server devices. The exchange, as well as the use and nature, of sensitive information released can be governed by one or more privacy agreements established between the principal parties, namely, a client device and a content server. A proxy server can be used to establish privacy agreements with content servers (service providers) in at least two ways. A first way is through configuration of client devices, in which a proxy server can manage a list of realms (e.g., URLs) that are allowed sensitive information (e.g., location reporting). A second way is through negotiation, in which the proxy server acts as a proxy for agreement negotiation. In one implementation, the agreement negotiation can be in accordance with P3P.

[0021] The invention pertains to techniques that enable privacy agreements to be established between wireless client devices (e.g., cellular telephones, pagers, personal digital assistants, vehicle navigation systems, telematics devices, etc.) and server devices, connected via a proxy server device which acts as a trusted third party. Once a privacy agreement is established between a wireless client device and a server device, the server device is able to obtain and utilize certain private (or sensitive) information from the wireless client device or the proxy server device therefor. Although the private (or sensitive) information can include a wide range of information, the discussion below focuses on location information. Additionally, the location information may be presented in many different formats (e.g., latitude and longitude, map coordinates, particular address, etc.).

[0022] A wireless client device may pass location information to a proxy server device each time it makes a request. The proxy server device may also receive location information on the wireless client device from the wireless network associated with the wireless client device. The proxy server device, upon receiving both sets of information, may perform canonicalization and reconciliation processes on the two groups of information. The canonicalized and reconciled location information is only released by the proxy server device to a remote server device after a privacy agreement has been established. For example, location information relating to a particular wireless client device will not be released to a remote server device unless or until a privacy agreement is in place between the particular wireless client device and the remote server device.

[0023] Wireless client devices, also referred to as mobile devices or two-way interactive communication devices, include but are not limited to cellular telephones, personal digital assistant (PDA) like devices, two-way paging devices, wireless capable remote controllers, vehicle navigation systems or telematics devices. These devices typically have considerably less processing and memory resources than are found on desktop and laptop personal computers. The wireless client devices, which are not a combination of a personal computer and a wireless communication module, have a small display screen and a compact user interface for interactions with server devices.
[0024] Figure 1 is a block diagram of an information retrieval system according to one embodiment of the invention. Landnet 116 is a landline network that may be the Internet, an intranet or a data network of other private networks. More generally, the landnet 116 is a wired network. Coupled to landnet 116 is a server device 120. As an example, the server device 120 may be a workstation computer such as is available from SUN Microsystems Inc. The information stored by the server device 120 may be hypermedia information. Additionally, the server device 120 may also have a firewall.

[0025] Airnet 104 is a wireless communications network. Further, it will be appreciated that the airnet can use a wide variety of wireless networks, examples of which include Cellular Digital Packet Data (CDPD), Global System for Mobile Communications (GSM), Code Division Multiple Access (CDMA) and Time Division Multiple Access (TDMA), to name a few. More generally, the airnet 104 is a wireless network.

[0026] Serviced by airnet 104 are a plurality of wireless client devices 100, also referred to as two-way interactive communication devices, though only one such device is shown in Figure 1. Wireless client device 100 is capable of communicating wirelessly with a wireless carrier infrastructure that generally comprises a base station and an operations and maintenance center associated with airnet 104. The base station controls radio or telecommunication links with mobile devices, including two-way wireless interactive communication devices. The operations and maintenance center can include a mobile switching center that performs the switching of calls between the mobile devices and other fixed or mobile network users. Further, the operations and maintenance center can manage mobile services, such as authentication, and oversees the proper operation and setup of the wireless network. Wireless network location information, also referred to as Network Location Objects (NLOs), relating to each of the managed wireless client devices can be determined by a NLO device 112 which is accessible via airnet 104 or landnet 116.

[0027] Between airnet 104 and landnet 116 is a proxy server device 108 functioning as a network gateway server. The proxy server device 108 may, for example, be a workstation or a personal computer. The communication protocol in airnet 104 is often different from that in landnet 100. Hence, one of the functions that proxy server device 108 may perform is to map or translate one communication protocol to another, so that wireless client device 100 coupled to airnet 104 can communicate with any of the server devices coupled to landnet 116 via proxy server device 108. The proxy server device 108 may also provide for subscriber account storage and management, configuration services, and location information determination and/or storage. Further, the proxy server device 108 can provide for the management, negotiation and storage of privacy agreements.

[0028] There are various ways to provide the location information (or sensitive information) to the content server. In the principal approach discussed below, the client device sends its location with some or all of its requests to content servers. Typically, the requests will be directed first to a proxy server which controls the release of the location information to the content server on behalf of the client device. According to other approaches, the proxy server can ask the client device for the location information (or other sensitive information). These other approaches can, for example, be implemented by (1) propagating an error back to the client device that requests the location information (e.g., PSP), (2) returning trusted executable content that requests the location information (e.g., MMP), or (3) triggering a separate client/server location determining protocol (see, e.g., www.snaptrack.com).

[0029] According to the principal approach, proxy server device 108 receives a Handset Location Object (HLO) from wireless client device 100 when a request is sent from wireless client device 100 to proxy server device 108. The Handset Location Object (HLO) is the location of wireless client device 100 (handset) as determined by wireless client device 100. At periodic intervals or when requested, proxy server device 108 receives a Network Location Object (NLO). The Network Location Object (NLO) is the location of wireless client device 100 as determined by the network (e.g., airnet 104). These locations or positions may be determined by GPS, Time Distance of Arrival or similar locating systems, which are well known in the art. Proxy server device 108 processes the Handset Location Object (HLO) and the Network Location Object (NLO) and generates an Absolute Location Object (ALO) which represents a reconciliation of the NLO and HLO. Alternatively, a separate network element can receive the HLO and NLO and then generate the ALO.

[0030] When the dissemination of location information for wireless client devices is involved, the information retrieval system works as follows. Wireless client device 100 forwards a request via proxy server device 108. Proxy server device 108 forwards the request to server device 120. Typically, server device 120 is identified by a Uniform Resource Identifier (URI) or some similar identifier. Server device 120 then requests location and perhaps other private information (e.g., name, phone number, demographic information, etc.). Alternatively, server device 120 may also request location and other private information on wireless client device 100 independent of wireless client device 100 submitting a request. Proxy server device 108 makes a determination as to whether there is a previously existing privacy agreement associated with the server device 120 and wireless client device 100. If there is no privacy agreement in place, one must be negotiated before the exchange of private information (including location and other sensitive information). Proxy server device 108 (or a separate network device) performs a canonicalization (e.g., transformation) process on the HLOs received from wireless client device 100 and NLOs from NLO storage device 112, and then (re)submits the request to the server with the sensitive data attached.
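The decision the proxy makes in the sequence above (and in the method steps of [0009] to [0011]), as an added Python illustration rather than code from the patent: a privacy manager first consults the client's configured realm list, then any stored and unexpired agreement for the target realm, and only then considers a proposal from the server, which it accepts on the client's behalf solely when the proposal stays within the client's authorization agreement. The location is attached to the forwarded request only when one of those checks passes. The class names, field names, the realm rule (scheme plus host of the target URL) and every sample value are assumptions.

```python
"""Proxy-side release control for client location information (added example,
not the patent's code). Models the proxy's decision from [0009]-[0011] and
[0030]: does an agreement exist for this (client, realm) pair, can one be
accepted on the client's behalf, and only then attach the location.
Class names, field names, the realm rule and all sample values are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Set, Tuple
from urllib.parse import urlsplit


@dataclass(frozen=True)
class PrivacyAgreement:
    """Terms a server realm has agreed to for one client (assumed structure)."""
    realm: str
    purposes: FrozenSet[str]   # e.g. {"navigation"}
    retention_days: int        # how long the server may keep the data
    expires_at: float          # epoch seconds; the agreement lapses afterwards


@dataclass(frozen=True)
class AuthorizationAgreement:
    """Limits the client gives the proxy for auto-accepting server proposals."""
    allowed_purposes: FrozenSet[str]
    max_retention_days: int


@dataclass
class ClientProfile:
    client_id: str
    trusted_realms: Set[str] = field(default_factory=set)   # configured list, [0020]
    authorization: Optional[AuthorizationAgreement] = None
    agreements: Dict[str, PrivacyAgreement] = field(default_factory=dict)


def realm_of(url: str) -> str:
    """Realm = scheme plus host of the target URL (assumption; the path is ignored)."""
    parts = urlsplit(url)
    return "{}://{}".format(parts.scheme, parts.hostname or "").lower()


class PrivacyManager:
    def __init__(self) -> None:
        self.clients: Dict[str, ClientProfile] = {}

    def register(self, profile: ClientProfile) -> None:
        self.clients[profile.client_id] = profile

    def decide(self, client_id: str, url: str, now: float,
               proposal: Optional[PrivacyAgreement] = None) -> Tuple[bool, str]:
        """Return (release_location, reason), checked in this order:
        configured realm list, unexpired stored agreement, acceptable proposal."""
        profile = self.clients.get(client_id)
        if profile is None:
            return False, "unknown-client"
        realm = realm_of(url)
        if realm in profile.trusted_realms:
            return True, "configured-realm"
        existing = profile.agreements.get(realm)
        if existing is not None:
            if existing.expires_at > now:
                return True, "existing-agreement"
            del profile.agreements[realm]   # lapsed: drop it so it cannot be reused
        if (proposal is not None and proposal.realm == realm
                and self._accords(profile, proposal, now)):
            profile.agreements[realm] = proposal   # negotiated on the client's behalf
            return True, "negotiated"
        return False, "no-agreement"

    @staticmethod
    def _accords(profile: ClientProfile, proposal: PrivacyAgreement, now: float) -> bool:
        """A proposal is acceptable only within the client's authorization agreement."""
        auth = profile.authorization
        if auth is None or proposal.expires_at <= now:
            return False
        return (proposal.purposes <= auth.allowed_purposes
                and proposal.retention_days <= auth.max_retention_days)


def forward(manager: PrivacyManager, client_id: str, url: str,
            hlo: Tuple[float, float], now: float,
            proposal: Optional[PrivacyAgreement] = None) -> dict:
    """The request as the proxy forwards it: the location key is present only on release."""
    release, reason = manager.decide(client_id, url, now, proposal)
    out = {"url": url, "client": client_id, "reason": reason}
    if release:
        out["location"] = hlo
    return out


if __name__ == "__main__":
    pm = PrivacyManager()
    pm.register(ClientProfile("dev-1", {"https://maps.example"},
                              AuthorizationAgreement(frozenset({"navigation"}), 7)))
    offer = PrivacyAgreement("https://tow.example", frozenset({"navigation"}), 1, 2000.0)
    print(forward(pm, "dev-1", "https://maps.example/route", (37.77, -122.42), 1000.0))
    print(forward(pm, "dev-1", "https://ads.example/x", (37.77, -122.42), 1000.0))
    print(forward(pm, "dev-1", "https://tow.example/help", (37.77, -122.42), 1000.0, offer))
```

Two points of the design matter for a deployment: an expired agreement is deleted rather than silently honoured, so a server cannot keep receiving data on a lapsed term, and a proposal is matched against the realm of the request it arrived with, so a server cannot obtain an agreement for a different realm by proposing one.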

[0031] According to one embodiment, the communication protocol used by server device 120 is the well known HyperText Transfer Protocol (HTTP) or a secure version SHTTP, and runs on Transmission Control Protocol (TCP) and controls the connection to proxy server device 108, and the exchange of information therebetween. The communication protocol between wireless client device 100 and proxy server device 108 via airnet 104 is, for example, Handheld Device Transport Protocol (HDTP) (formerly known as Secure Uplink Gateway Protocol (SUGP)), which preferably runs on User Datagram Protocol (UDP) and controls the connection of a Handheld Device Markup Language (HDML) web browser in wireless client device 100 to proxy server device 108. HDML, similar to HTML, is a tag based document language and comprises a set of commands or statements that specify how information is displayed on a small screen of the wireless client device 100. One skilled in the art will appreciate that the present invention can be practised using other communications protocols (e.g., Wireless Session Protocol (WSP), Hypertext Transport Protocol (HTTP), Wireless Transport Protocol (WTP)) and markup languages (e.g., Compact Hypertext Markup Language (cHTML), Extensible Markup Language (XML) and Wireless Markup Language (WML)).

[0032] It should be noted that HDTP is a session-level protocol that resembles HTTP but without incurring the overhead thereof and is highly optimized for use in thin devices, such as mobile devices that have significantly less computing power and memory than a desktop personal computer. Further, it is understood to those skilled in the art that UDP does not require a connection to be established between a client and a server device before information can be exchanged, which eliminates the need of exchanging a large number of packets during a session creation between a client and a server device. Exchanging a very small number of packets during a transaction is a desired feature for a mobile device with very limited computing power and memory to effectively interact with a landline device.
[0033] Some of the features in wireless client device 100 that make the disclosed system work more efficiently are described below. According to one embodiment, wireless client device 100 includes a display screen 130 and a phone keypad 140 which allow a user thereof to communicate interactively with wireless client device 100. Phone keypad 140 preferably provides a typical phone keypad, a pair of generic buttons and a set of arrow buttons. Further, it is to be understood by those of ordinary skill in the art that the present invention may be practised using input interfaces (e.g., softkeys, iconic screens) other than a phone keypad.

[0034] Wireless client device 100 includes a working memory where compiled and linked processes of the present invention are typically stored as a client module that causes wireless client device 100 to operate with, for example, proxy server device 108. Upon activation of a predetermined key sequence utilizing phone keypad 140, for example, a microcontroller within wireless client device 100 initiates a communication session request to proxy server device 108 using the client module in the working memory. Upon establishing the communication session, wireless client device 100 typically receives HDML, WML, HTML, XML, xHTML or other content from proxy server device 114 and stores (caches) the content in the working memory.

[0035] As used herein, a display screen is the physical display apparatus in a wireless client device, such as a 4-line by 20-character Liquid Crystal Display (LCD) screen. A screen display is an image presented or displayed on the display screen. Further, it is understood that a display screen having display lines is only for illustrative purposes; many display screens in reality are graphics-based and do not necessarily have distinct display lines, and it will be appreciated that the principles of this invention are equally applicable thereto.

[0036] Figure 2 illustrates a functional block diagram of proxy server device 208 which may represent proxy server device 108 of Figure 1. To avoid obscuring the principal aspects of the present invention, well-known methods, procedures, components and circuitry in the proxy server device are not described in detail. Further, it is understood to those skilled in the art that a server device used herein pertains to a piece of hardware equipment that comprises one or more microprocessors, working memory, buses and interfaces and other components. On the other hand, a server module herein means processes (i.e., software) used within the server device to perform designated functions through the parts and components in the server device.

[0037] Referring to Figure 2, proxy server device 208 comprises a Landnet Control Protocol (LCP) interface 252 that couples to LANDNET 256 (e.g., LANDNET 116 of Figure 1), a Wireless Control Protocol (WCP) interface 212 that couples to AIRNET 204 (e.g., AIRNET 104 of Figure 1) via a carrier's infrastructure (not shown), a server module 218 coupled between LCP interface 252 and WCP interface 212, a processor (or processors) 244, and storage capability 248.

[0038] According to one embodiment of the invention, several applications have been incorporated in server module 218 to provide for the integration and management of account information, location information, and privacy agreements. These functional modules include an account interface 232, an account manager 236, a location manager 224, and a privacy manager 228.

[0039] Account manager 236 and account interface 232 manage a plurality of user accounts for all the wireless client devices serviced by proxy server device 208. It is understood that the user accounts may be stored in another network server coupled through LANDNET 256. In other words, the user accounts can be kept in a database that is accessible by any computing devices (e.g., server device) coupled to LANDNET 256 and can be collected or fetched therefrom. The user accounts may contain information in excess of that which is required to manage the user account. For example, in addition to a device identifier (e.g., 93845823) and a subscriber ID (e.g., 881234587-10900_pn.mobile.xyz.net) the account information may also contain user information (e.g., credit-related information, demographic information and personal data). This information is often private (or sensitive) and thus is registered with the privacy manager 228 for purposes of controlling its release to third parties.

[0040] Location manager 224 receives Handset Location Objects (HLOs) from wireless client devices, and receives Network Location Objects (NLOs) from the wireless networks supporting wireless client devices. This information is subjected to a reconciliation process whereby the location manager 224 compares the two location objects and renders an Absolute Location Object (ALO) which represents its best guess as to the actual location of the wireless client device. Additionally, the Absolute Location Object (ALO) may be translated to a particular format (e.g., latitude & longitude, map coordinates, address) requested by a server device desiring location information on a particular wireless client device. Privacy manager 228 manages pre-existing privacy agreements and acts as a negotiating agent in establishing new privacy agreements between wireless client devices and server devices. In its capacity as negotiating agent, privacy manager 228 may generate user interfaces for the participants (e.g., an HDML user interface for the wireless client devices) which define the information to be exchanged, the term of the agreement (e.g., expiration date/time) and how that information may be used. Once a privacy agreement has been established between server devices and proxy server device 208, the requested private data can be supplied to the requesting server device in accordance with the terms and conditions of the privacy agreement. For purposes of optimizing the process, the wireless client device and proxy server device 208 can establish a standing agreement, which pre-establishes terms and conditions for the release of location and related information.

[0041] Each of the wireless client devices, such as wireless client device 300 shown in Figure 3, is assigned a device identifier (ID). A device ID may be a phone number of the device or a combination of an Internet Protocol (IP) address and a port number, for example: 204.163.185.132:01905 where 204.163.185.132 is the IP address and 01905 is the port number. The device ID is further associated with a subscriber ID authorized by a carrier and stored in the associated proxy server device during activation of a subscriber account for wireless client device 300. The subscriber ID may take the form of, for example, "861234567-10900_pn.mobile.att.net" for AT&T Wireless Service, but it is nevertheless a unique identification to wireless client device 300. In other words, each of the wireless client devices serviced by a proxy server device has a unique device ID that corresponds to a respective user account also stored in the proxy server device. Additionally, this unique identifier may be used to store user specific information, namely, private information (e.g., credit information, demographic information, location information, and other personal data). Alternatively, the access could be anonymous access yet still utilize location information.

[0042] Figure 3 shows a wireless client device 300 according to one embodiment which includes a Wireless Control Protocol (WCP) interface 328 that couples to a carrier network via an AIRNET 340 to receive incoming and outgoing data signals. Device identifier (ID) storage 332 stores and supplies a device ID to WCP interface 328. The device ID identifies a specific code that is associated with wireless client device 300 and directly corresponds to the device ID in the user account typically provided in the proxy server device (not shown). In addition, wireless client device 300 includes a client module 308, a processor 304 and a memory 324 that together control the overall operation of wireless client device 300. Client module 308 performs many of the processing tasks performed by wireless client device 300 including: establishing a communication session with a proxy server device via AIRNET 340, requesting and receiving data from the carrier network, displaying information on a display screen 318 thereof, and receiving user input from keypad 312. The client module 308 is coupled to WCP interface 328 for the establishment of a communication session and the requesting and receiving of data. Additionally, the client module 308 operates, among other things, a browser, commonly referred to as a micro-browser, which requires much less computing power and memory than do the well-known HTML browsers. The micro-browser is, preferably, a Handheld Device Markup Language (HDML) micro-browser from Phone.com, Inc. located at 800 Chesapeake Drive, Redwood City, CA 94063. Additional details on accessing a (proxy) server device from a mobile device including a (micro) browser are described in U.S. Patent No. 5,809,415, which is hereby incorporated by reference. Wireless client device 300 may further include voice circuitry 336 (e.g., a speaker and a microphone) and an encoder/decoder 320 that enable (together with other components) the wireless client device 300 to support a telephone mode of operation as well as a network (data) mode of operation.
[0043] Prior to describing the invention in further detail, an illustrative example of an accepted privacy agreement is provided in accordance with the principles of this invention. This example is for purposes of illustration only and is not intended to limit the invention to the particular application or feature described. The markup language used for the following example is Extensible Markup Language (XML). This markup language is presented for purposes of illustration and not limitation. One skilled in the art will appreciate that the present invention can be practised using other markup languages (e.g., Compact Hypertext Markup Language (cHTML), Hypertext Markup Language (HTML), Wireless Markup Language (WML), and Handheld Device Markup Language (HDML)). A representative accepted proposal for a privacy agreement is as follows:
<?xml:namespace ns = "http://www.w3.org/TR/1998/WD-P3P10-syntax#proposal.DTD" prefix = "p3p"?>
<?xml:namespace ns = "http://www.w3.org/TR/WD-rdf-syntax#" prefix = "RDF"?>
<RDF:RDF>
<PROP realm = "http://www.towing.com/roadservice/"
      entity = "Towing" agreeID = "94df1293a3e519bb"
      assurance = "http://www.TrustUs.org">
  <USES>
    <STATEMENT purp = "2,3" recpnt = "0" id = "0"
               consq = "quick towing service">
      <WITH> <PREFIX name = "User.">
        <REF name = "Last Name"/>
        <REF name = "First Name" optional = "1"/>
        <REF name = "Location"/>
      </PREFIX> </WITH>
    </STATEMENT>
  </USES>
  <USES>
    <STATEMENT action = "read&write" purp = "0" recpnt = "0" id = "1">
      <REF name = "Sending a Tow Truck."/>
    </STATEMENT>
  </USES>
  <DISCLOSURE discURI = "http://www.towing.com/PrivacyPractice.html" access = "3" other = "0,1"/>
</PROP> </RDF:RDF>



[0044] The representative accepted proposal is in accordance with the Personal Privacy Preferences (P3P) architecture. The definitions of the principal components of the proposal of the privacy agreement are described below:

<PROP>
    includes one or more statements. Each statement includes a set of disclosures as applied to a set of data elements.
agreeID
    the agreementID (fingerprint of an accepted proposal)
final
    signals the eventual conclusion of the negotiation
propURI
    URI at which a proposal may be fetched
postURI
    URI which information may be transmitted to
realm
    the list of URIs to which the proposal applies.
entity
    a text field used to describe the legal entity providing the service and entering into the agreement with the user agent.
assurance
    a service that attests that the entity will abide by its proposal, follows guidelines in the processing of data, or other relevant assertions.
agrexp
    the date on which an agreement, if reached, will expire. Default is 6 months. The agreement expiration is the last date when a user agent can transfer data to the service under the agreement. The service continues to be bound by the restrictions of the agreement for data collected under the agreement, even after the expiration. Proposals expire after the time indicated by the "EXPIRES" HTTP header. The default expiration is 1 hour.
optional
    indicates whether or not the proposal is optional.
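The following is an added example and not code from the patent: it parses a proposal in the shape of the one shown above and makes the decision the proxy's privacy manager faces at decision 918 (see [0055] below), namely whether a proposal can be accepted automatically under the standing agreement the client device established with the proxy. The class names, the fields of the Authorization record, the acceptance rules, and the constructed standing agreements are assumptions of this example; the realm, agreeID and data element names are taken from the proposal above.

```python
# Added example, not the patent's code: parse a P3P-style proposal and decide
# whether the proxy may accept it automatically on the client device's behalf.
# Class names, Authorization fields and acceptance rules are assumptions.
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed proposal in the shape of the example above. The xml:namespace
# processing instructions and the second STATEMENT (whose "read&write" value is
# not well-formed XML) are left out so a standard XML parser accepts it.
PROPOSAL = """<PROP realm="http://www.towing.com/roadservice/"
      entity="Towing" agreeID="94df1293a3e519bb"
      assurance="http://www.TrustUs.org">
  <USES>
    <STATEMENT purp="2,3" recpnt="0" id="0" consq="quick towing service">
      <WITH><PREFIX name="User.">
        <REF name="Last Name"/>
        <REF name="First Name" optional="1"/>
        <REF name="Location"/>
      </PREFIX></WITH>
    </STATEMENT>
  </USES>
  <DISCLOSURE discURI="http://www.towing.com/PrivacyPractice.html"
              access="3" other="0,1"/>
</PROP>"""


@dataclass
class Proposal:
    realm: str
    entity: str
    agree_id: str
    assurance: str
    elements: dict = field(default_factory=dict)   # "User.Location" -> optional?
    purposes: set = field(default_factory=set)      # purp codes, e.g. {"2", "3"}
    recipients: set = field(default_factory=set)    # recpnt codes


def _codes(value):
    """Split a comma-separated code list such as purp="2,3" into a set."""
    return {c.strip() for c in value.split(",") if c.strip()}


def parse_proposal(xml_text):
    root = ET.fromstring(xml_text)
    if root.tag != "PROP":
        raise ValueError("expected a PROP element")
    prop = Proposal(realm=root.get("realm", ""), entity=root.get("entity", ""),
                    agree_id=root.get("agreeID", ""),
                    assurance=root.get("assurance", ""))
    for stmt in root.iter("STATEMENT"):
        prop.purposes |= _codes(stmt.get("purp", ""))
        prop.recipients |= _codes(stmt.get("recpnt", ""))
        for prefix in stmt.iter("PREFIX"):
            for ref in prefix.iter("REF"):
                name = prefix.get("name", "") + ref.get("name", "")
                prop.elements[name] = ref.get("optional") == "1"
    return prop


@dataclass(frozen=True)
class Authorization:
    """Standing agreement between client device and proxy (assumed shape)."""
    allowed_realms: tuple        # URL prefixes the proxy may release data to
    releasable: frozenset        # data elements the user allows to be released
    allowed_purposes: frozenset
    allowed_recipients: frozenset
    require_assurance: bool = True


def auto_accept(prop, auth):
    """Return (accepted, reasons). Any reason means manual negotiation (920)."""
    reasons = []
    if not any(prop.realm.startswith(r) for r in auth.allowed_realms):
        reasons.append("realm not authorized: " + prop.realm)
    required = {n for n, optional in prop.elements.items() if not optional}
    for name in sorted(required - auth.releasable):
        reasons.append("required element not releasable: " + name)
    for code in sorted(prop.purposes - auth.allowed_purposes):
        reasons.append("purpose not accepted: " + code)
    for code in sorted(prop.recipients - auth.allowed_recipients):
        reasons.append("recipient not accepted: " + code)
    if auth.require_assurance and not prop.assurance:
        reasons.append("no assurance service named")
    if not prop.agree_id:
        reasons.append("proposal carries no agreeID to record the agreement under")
    return (not reasons, reasons)


def elements_to_release(prop):
    """Release only the elements the service marks as required (data minimization)."""
    return sorted(n for n, optional in prop.elements.items() if not optional)


# Constructed standing agreements: one that covers the proposal, one that does not.
STANDING_AUTH = Authorization(
    allowed_realms=("http://www.towing.com/",),
    releasable=frozenset({"User.Last Name", "User.Location"}),
    allowed_purposes=frozenset({"2", "3"}),
    allowed_recipients=frozenset({"0"}))
STRICT_AUTH = Authorization(
    allowed_realms=("http://www.towing.com/",),
    releasable=frozenset({"User.Last Name"}),      # user never releases location
    allowed_purposes=frozenset({"2", "3"}),
    allowed_recipients=frozenset({"0"}))

if __name__ == "__main__":
    p = parse_proposal(PROPOSAL)
    print(p.entity, p.agree_id, auto_accept(p, STANDING_AUTH))
    print(auto_accept(p, STRICT_AUTH))
```

Under STANDING_AUTH the proposal is accepted without user interaction because every required element, purpose and recipient code is already covered; under STRICT_AUTH the mandatory "User.Location" element is outside what the user authorized, so the proxy must fall back to manual negotiation rather than release it. Elements the service marks optional are never released, which keeps the data sent to the minimum the agreement requires.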

[0045] Figure 4 illustrates a representative wireless client device request 400. Wireless client device request 400 may contain a resource request 402 and a handset location object (HLO) 404. The resource request 402, for example, contains an address (e.g., Uniform Resource Indicator (URI)).

[0046] Figure 5 illustrates network information 500 that may be provided to a proxy server device by a wireless network. Network information 500 may contain cell site identification 504, subscriber identification 508, and a network location object (NLO) 510.

[0047] Figure 6 illustrates information 600 provided to the server device in response to a request for information. The information 600 provided to the server device in this example includes the request 602 for information (by the wireless client device), absolute location object 604, and other private information 606 as per an existing privacy agreement.
[0048] Figure 7 is a process diagram 700 that represents a private information exchange sequence according to one embodiment of the invention. The private information exchange sequence is between a client and a server. In one implementation, the client is a wireless client device and the server is a content server.

[0049] The private information exchange sequence initially begins with the client issuing a request (701). The request is for a particular URL. The server receives the request issued by the client and then determines whether a privacy agreement is needed for access to the requested URL (702). As an example, the server can require a privacy agreement to allow access to certain URLs. For example, the server can require a privacy agreement when the requested URL requires use of the client device's private data (e.g., location) in order to process the requested URL. When the server does determine that a privacy agreement is needed, the server returns to the client a proposed privacy agreement for the private data (703). In other words, the initial request is denied and the response returned is the proposed privacy agreement. The client can then accept the proposed privacy agreement or continue to negotiate the terms of the privacy agreement. In any case, after the privacy agreement has been agreed to (704), the client re-issues the request for the particular URL (705). Here, the re-issued request includes not only the particular URL but also the private data pertaining to the client device. In one implementation, the private data is attached to the URL and forms part of the request. In an alternative implementation, the private data can be provided as meta-data for the request. In response to the re-issued request, the server will process the request to retrieve the information associated with the particular URL while using the private data in processing the request. A response is then returned from the server to the client (706), thus completing the request for information.

[0050] Figures 8-10 are flow diagrams of representative request and response processing in which private information is exchanged in a controlled manner. FIG. 8 pertains to client-side operations, FIGs. 9A-9C pertain to proxy server operations, and FIG. 10 pertains to content server operations.

[0051] Figure 8 is a flow diagram of client-side location reporting 800 according to one embodiment of the invention. The client-side location reporting 800 is performed by a client device. The client-side location reporting 800 initially establishes 802 an authorization agreement with a proxy server. The authorization agreement with the proxy server allows the proxy server to negotiate privacy agreements with content servers on behalf of the client device. A decision 804 then determines whether a request is to be issued. When the decision 804 determines that a request is to be issued, an HLO is attached 806 to the request. Here, the request typically includes at least a URL which designates the resource being requested and the HLO is attached to the request. More generally, private information (e.g., HLO) is attached to the request. The request is then sent 808 through the proxy server.

[0052] A decision 810 determines whether a response has been received. Here, the client-side location reporting 800 is awaiting a response from the content server via the proxy device. Once the decision 810 determines that a response has been received, the response is processed 812. After the response is processed 812, the client-side location reporting 800 is complete and ends because the issued request has been satisfied.

[0053] Figures 9A-9C are flow diagrams of proxy location processing 900 according to one embodiment of the invention. The proxy location processing 900 is, for example, performed by a proxy server.

[0054] The proxy location processing 900 initially establishes 902 an authorization agreement with the client device. Here, the proxy server interacts with the client device to establish an authorization agreement which authorizes the proxy server to negotiate privacy agreements for the client device with respect to content servers. A decision 904 then determines whether a request has been received. Here, the proxy server awaits receipt of requests from client devices. When the decision 904 determines that a request has been received, the request is parsed 906 to obtain the particular URL associated with the request and an HLO (or other sensitive information). In some situations, the request will not include the HLO as it could be sent periodically or after it has changed to reduce overhead traffic. However, when the HLO is provided, it is parsed 908 from the request and then stored 908 to a location manager. The location manager is provided within the proxy server to manage the location of the client devices serviced by the proxy server (see Figure 2, location manager 224).

[0055] A decision 910 then determines whether an existing privacy agreement exists for the particular URL. The decision 910 could also determine whether or not a privacy agreement is even needed for the particular URL. In any case, when the decision 910 determines that there is no existing privacy agreement in place for the particular URL, then the particular URL is requested 912 from the content server without any sensitive information. Although the URL has been requested, the content server will not service the request because there is no existing privacy agreement for the particular URL. Hence, the content server will return a proposed privacy agreement as well as an ALO request (or sensitive information request). Thus, a decision 914 determines whether the proposed privacy agreement and the ALO request have been received. When the decision 914 determines that the proposed privacy agreement and the ALO have not yet been received, the decision 914 causes the proxy location processing 900 to await their receipt. Once the proposed privacy agreement and the ALO request have been received, the proposed privacy agreement is examined 916. Upon being examined, the proxy server can determine at decision 918 whether it can automatically agree to the proposed privacy agreement on behalf of the client device. When the decision 918 determines that it cannot automatically agree to the proposed privacy agreement, manual negotiation 920 is performed between the client device, the proxy server, and the content server so that a privacy agreement can be reached. Alternatively, when the decision 918 determines that an automatic agreement can be made, the manual negotiation 920 is bypassed.

[0056] At this point, whether by automatic agreement or manual negotiation, a privacy agreement has been accepted or an error has occurred. The error can be that an agreement could not be reached and thus the request fails. Here, a decision 922 can determine whether an error is returned by the content server. When an error is returned, then the proxy server forwards 924 a response indicating an error to the client device. Alternatively, when the decision 922 determines that an error is not returned (and thus an agreement was reached), the proxy location processing 900 returns to block 910 so that the request can be satisfied now that a privacy agreement has been agreed upon.

[0057] Once the decision 910 determines that there is a privacy agreement for the URL, additional processing is then carried out by the proxy location processing 900 to provide location information to the content server and obtain a response for the client device. Specifically, after a privacy agreement is put in place, the proxy server obtains 926 the ALO from the location manager. The ALO represents the location manager's best estimate for the client device upon taking into consideration the HLO and the NLO. Then, the ALO is attached 928 to the request. The request is then sent 930 to the content server. A decision 932 then determines whether a response has been received from the content server. When the decision 932 determines that a response has not yet been received, the proxy location processing 900 awaits such a response. Once the decision 932 determines that a response has been received, the response is forwarded 934 to the client device. After the response has been forwarded 934, the proxy location processing 900 is complete and returns to block 904 to process another request.

[0058] Figure 10 is a flow diagram of server-side location processing 1000 according to one embodiment of the invention. The server-side location processing 1000 is, for example, performed by a content server.

[0059] The server-side location processing 1000 begins with a decision 1002 that determines whether a request has been received. In other words, the server-side location processing 1000 is initiated or activated when a URL is requested. After a request has been received, the request is parsed 1004 to obtain the URL and, if present, the ALO. A decision 1006 then determines whether the ALO is present. When the decision 1006 determines that the ALO is not present, the content server sends 1008 a proposed privacy agreement to the proxy server. The proposed privacy agreement is a proposed agreement in which the content server specifies how private data is to be used by the content server. Next, a decision 1010 determines whether an agreement has been reached between the content server and either the client device or proxy server. When the decision 1010 determines that an agreement has not yet been reached, the content server sends 1014 a response to the proxy server indicating an error (e.g., error because no agreement was able to be reached). On the other hand, if the decision 1010 determines that an agreement has been reached, the content server sends 1014 a response to the proxy server requesting a re-send of the request. Following either block 1012 or 1014, the server-side location processing 1000 is complete and ends for the particular request.

[0060] On the other hand, when the decision 1006 determines that the ALO is present, the ALO is stored 1016. When the content server receives an ALO with a request, it indicates that a privacy agreement is in place. The requested content associated with the URL is then obtained 1018. The requested content might differ depending on the ALO provided with the request. Next, a response with the requested content is sent 1020 to the proxy server. In other words, after a privacy agreement has been reached between the content server and the client device or proxy server, a request for content from the content server can be received and carried out in accordance with the terms of the privacy agreement. After the response has been sent 1020, the server-side location processing 1000 is complete and ends.
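The exchange described in [0049] and in the flow diagrams of [0051] to [0060], as an added example that is not part of the patent: a proxy and a content server are simulated in a few lines so that the property the design relies on can be checked directly, namely that no private data reaches a server until an agreement for the requested URL's realm exists. The proxy here accepts a proposal only when its realm is on a carrier-configured list (the configuration route described in [0061] below) and otherwise returns the error of block 924; the class names, the message fields, treating a realm as a URL prefix, and the constructed hostnames are assumptions of this example.

```python
# Added example, not the patent's code: simulation of the Figure 7 / Figures 8-10
# exchange. The proxy withholds the ALO until an agreement covers the realm,
# accepts proposals only for carrier-listed realms, and records every message a
# server saw so the trace can be inspected. Names and fields are assumptions.


class ContentServer:
    """Server-side processing (Figure 10) for one realm (a URL prefix)."""

    def __init__(self, realm, agree_id, requires_location):
        self.realm = realm
        self.agree_id = agree_id
        self.requires_location = requires_location
        self.received = []            # every request exactly as the server saw it

    def handle(self, request):
        self.received.append(dict(request))       # 1002/1004: receive and parse
        if not request["url"].startswith(self.realm):
            return {"status": 404}
        if not self.requires_location:
            return {"status": 200, "body": "public content"}
        if "alo" not in request:                  # 1006 no -> 1008 send proposal
            return {"status": "proposal",
                    "proposal": {"realm": self.realm, "agreeID": self.agree_id,
                                 "elements": ["User.Location"]}}
        # 1016/1018: an ALO arrived, so an agreement is in place; content uses it
        return {"status": 200, "body": "service for " + str(request["alo"])}


class ProxyServer:
    """Proxy location processing (Figures 9A-9C)."""

    def __init__(self, servers, carrier_allowed_realms):
        self.servers = servers                          # realm -> ContentServer
        self.carrier_allowed_realms = set(carrier_allowed_realms)
        self.agreements = {}                            # realm -> agreeID
        self.location_manager = {}                      # device id -> ALO
        self.trace = []

    @staticmethod
    def _match(table, url):
        return next((r for r in table if url.startswith(r)), None)

    def handle(self, device_id, request):
        url = request["url"]
        if "hlo" in request:                  # 908: keep the HLO with the location manager
            self.location_manager[device_id] = request["hlo"]
        realm = self._match(self.servers, url)
        if realm is None:
            return {"status": 404}
        server = self.servers[realm]
        for _ in range(2):                    # at most one negotiation round trip
            fwd = {"url": url}
            alo = self.location_manager.get(device_id)
            if self._match(self.agreements, url) and alo is not None:
                fwd["alo"] = alo              # 910 yes -> 926/928: attach the ALO
            self.trace.append(("proxy->server", dict(fwd)))
            resp = server.handle(fwd)         # 912 (no agreement) or 930 (with ALO)
            if resp.get("status") != "proposal":
                return resp                   # 934: forward response to the client
            prop = resp["proposal"]           # 914: proposal received
            if prop["realm"] not in self.carrier_allowed_realms:
                # 918 no: manual negotiation is not modelled, so 922/924 error
                return {"status": "error",
                        "reason": "no privacy agreement for " + prop["realm"]}
            self.agreements[prop["realm"]] = prop["agreeID"]   # 918 yes: record it
            self.trace.append(("agreement", prop["agreeID"]))
        return {"status": "error", "reason": "agreement reached but request still refused"}


def run_scenario():
    """Constructed scenario: a carrier-listed realm, an unlisted one, and a public one."""
    towing = ContentServer("http://www.towing.com/roadservice/", "94df1293a3e519bb", True)
    unlisted = ContentServer("http://unlisted.example/", "agree-x", True)   # constructed
    news = ContentServer("http://news.example/", "agree-y", False)          # constructed
    proxy = ProxyServer({s.realm: s for s in (towing, unlisted, news)},
                        carrier_allowed_realms=[towing.realm])
    hlo = {"lat": 37.48, "lon": -122.23}          # constructed handset location
    r_towing = proxy.handle("dev-1", {"url": towing.realm + "help", "hlo": hlo})
    r_unlisted = proxy.handle("dev-1", {"url": unlisted.realm + "map"})
    r_news = proxy.handle("dev-1", {"url": news.realm + "today"})
    return proxy, towing, unlisted, news, r_towing, r_unlisted, r_news


if __name__ == "__main__":
    proxy, *_ = run_scenario()
    for entry in proxy.trace:
        print(entry)
```

The trace shows the towing server receiving the URL twice: first without any location, then with the ALO once the proxy has recorded the agreement. The unlisted server only ever sees the bare URL and the client gets an error, and the public server is answered without the proxy attaching anything, which is the behaviour of decision 910 when no agreement is needed.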

[0061] The proxy server can establish privacy agreements with content servers (service providers) in at least two ways. A first way is through configuration in which a carrier can manage a list of realms (e.g., URLs) that are allowed location reporting. Although the realms would typically be stored with the proxy server, if space for storage were available on the client device to store the realms, the location information could be sent only when actually needed by outstanding privacy agreements. The second way is through negotiation in which the proxy server acts as a proxy for agreement negotiation. In one implementation, the agreement negotiation can be in accordance with P3P. The negotiation can be simple or complicated depending upon the implementation.

[0062] After an agreement is in place, the location data can be sent as meta-data within the headers of the request. If the client device, namely, the browser operating in the client device, knows its location (i.e., HLO), the client device can send its location to the proxy server with each request. However, to optimize use of data transmission, the client device (or browser) can send the HLO only when it changes. For example, if the client device only knows that the cell ID in the wireless network has changed, then it could report as it moves between cells. Alternatively, the proxy server (or other Position Determining Equipment (PDE) in the network) can ask the client device for its location (e.g., out-of-band location). As another example, in the case of latitude/longitude information, the server could tune for overhead improvement by negotiating the granularity of location that it cares about. For example, if the server says only ask for a one mile radius, the mobile station would only report a new location after it had moved more than a mile. Also, if the proxy server knows the location of the client device (ALO) and the requested URL is in one of the realms of an existing agreement, the proxy server can proceed to attach the location to the request. Also note that in some situations, the privacy agreement could preclude (or control) attachment of other types of data to the request (e.g., subscriber identifier or other related information).

[0063] When the proxy server decides to attach location data to a request, the following procedures can be performed. First, if the wireless network provides location data, the proxy server requests the client device's location from the network (i.e., NLO). Thereafter, the HLO and NLO are reconciled to present the "location", namely the ALO. The "location" can also be influenced based on granularity and accuracy.

[0064] In addition, passive location reporting can be performed. In a simple implementation, a command may be sent to the client device to cause it to invoke a URI with its current location. Alternatively, the client device (browser) and proxy server could include a status reporting mechanism in which, whenever the location changes more than the granularity, the browser reports the location change to the proxy server by invoking a predetermined URI. The proxy server could include a list of application URIs to invoke for status changes. Hence, the status change could be initiated by the proxy server, either by the browser's invocation of the special predetermined URI or by a signal from the network that the client device has moved.

[0065] The invention can also be embodied as computer readable code on a computer readable medium. The computer readable medium is any data storage device that can store data which can thereafter be read by a computer system. Examples of the computer readable medium include read-only memory, random-access memory, CD-ROMs, magnetic tape, and optical data storage devices. The computer readable medium can also be distributed over network coupled computer systems so that the computer readable code is stored and executed in a distributed fashion.

[0066] The advantages of the invention are numerous. Different embodiments or implementations may yield one or more of the following advantages. One advantage of the invention is that subscribers to networks (e.g., wireless networks) can control the release of their information over the networks. Another advantage of the invention is that client devices (subscribers) of networks can control the release of their information with respect to server devices on the networks. Still another advantage of the invention is that a proxy server can negotiate privacy agreements on behalf of client devices. Yet another advantage of the invention is that a proxy server can transform various location data formats without exposing confidential network topology information.

[0067] The many features and advantages of the present invention are apparent from the written description and, thus, it is intended by the appended claims to cover all such features and advantages of the invention. Further, since numerous modifications and changes will readily occur to those skilled in the art, it is not desired to limit the invention to the exact construction and operation as illustrated and described. Hence, all suitable modifications and equivalents may be resorted to as falling within the scope of the invention.

Claims 

1. A method for controlling exchange of private information associated with a client device, said method comprising:-

(a) receiving a request from the client device;

(b) determining whether a privacy agreement is needed to respond to the request;

(c) negotiating a privacy agreement that governs the exchange of the private information when said determining step (b) determines that a privacy agreement is needed; and

(d) thereafter producing a response to the request.

2. A method as recited in claim 1 wherein the private information includes location information of the client device.

3. A method as recited in claim 1 or 2 wherein said producing step (d) comprises:-

(d1) receiving the private information associated with the client device; and

(d2) producing the response to the request based at least in part on the private information.

4. A method for exchanging private information associated with a client device to a server device via a proxy server, said method comprising:-

establishing an authorization agreement that enables the proxy server to negotiate privacy agreements with server devices on behalf of the client device;

receiving a request at the proxy server;

receiving a proposed privacy agreement from the server device associated with the request;

accepting the proposed privacy agreement as a privacy agreement by the proxy server for the client device when in accord with the authorization agreement; and

providing the private information to the server device after establishment of the privacy agreement.

5. A method as recited in claim 4 wherein said method further comprises:-

negotiating the privacy agreement by the proxy server for the client device when not in accord with the authorization agreement; and

wherein said providing the private information to the server device is performed after said accepting of the proposed privacy agreement as the privacy agreement or after said negotiating of the privacy agreement.

6. A method for controlling exchange of private information associated with a client device supported by a carrier network infrastructure, said method comprising:-

(a) receiving a request from the client device, the request being directed to a server device;

(b) determining whether a privacy agreement is needed to respond to the request;

(c) determining whether the server device is authorized to receive the private information associated with the client device when said determining step (b) determines that a privacy agreement is needed; and

(d) providing the private information to the server device associated with the request when said determining step (c) determines that the server device is authorized to receive the private information associated with the client device.

7. A method as recited in claim 6 wherein the client device is a wireless client device, and wherein the private information includes location information of the client device.

8. A system for controlling information exchange between a wireless client device and server devices, the wireless client device being supported by a wireless network, said system comprising:-

a proxy server device operatively connected between the wireless client device and the server device, said proxy server device manages distribution of private information associated with the wireless client device to the server devices, said proxy server device includes at least

a storage area, said storage area stores information received from at least one of the wireless client device and from the wireless network; and

a privacy manager, said privacy manager operates to restrict the release of the information received from the wireless client device and the wireless network to the one or more of the server devices unless a suitable privacy agreement governing the use of the information is in place for the one or more server devices.

9. A computer readable medium including computer program code for exchanging private information associated with a client device to a server device via a proxy server, said computer readable medium comprising:-

computer program code for establishing an authorization agreement that enables the proxy server to negotiate privacy agreements with server devices on behalf of the client device;

computer program code for receiving a request at the proxy server;

computer program code for receiving a proposed privacy agreement from the server device associated with the request;

computer program code for accepting the proposed privacy agreement as a privacy agreement by the proxy server for the client device when in accord with the authorization agreement; and

computer program code for providing the private information to the server device after establishment of the privacy agreement.

10. A computer readable medium including computer program code for controlling exchange of private information associated with a client device supported by a carrier network infrastructure, said computer readable medium comprising:-



EP 1 081 916 A2 



computer program code for receiving a request from the client device, the request being directed to a server device;

computer program code for determining whether the server device is authorized to receive the private information associated with the client device; and

computer program code for providing the private information to the server device associated with the request when said determining whether the server device is authorized to receive the private information associated with the client device determines that the server device is authorized to receive the private information associated with the client device.